zX2ywhkDUbV2NnFUzGPbk+eW05tnENovpuoVU X-Google-Smtp-Source: AGHT+IF0uO2UWWTSF2elnUOaeaFf+E4ZQWE3a3O5Pw5Fd9GQuCoKNvEHSrCqihSk3uIhB2c7K6BHMLBwsGV5WaWO/fE= X-Received: by 2002:a05:6402:2786:b0:582:7e6d:6816 with SMTP id 4fb4d7f45d1cf-5879f0c6348mr5122790a12.8.1719874407739; Mon, 01 Jul 2024 15:53:27 -0700 (PDT) List-Id: Production branch of FreeBSD source code List-Archive: https://lists.freebsd.org/archives/freebsd-stable List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-stable@freebsd.org Sender: owner-freebsd-stable@FreeBSD.org MIME-Version: 1.0 References: <086405e2-8fc2-4463-b8bb-d6c652745ae1@freebsd.org> In-Reply-To: <086405e2-8fc2-4463-b8bb-d6c652745ae1@freebsd.org> From: Michael Proto Date: Mon, 1 Jul 2024 18:53:16 -0400 Message-ID: Subject: Re: FreeBSD 14.x localhost source address To: Craig Leres Cc: freebsd-stable@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.50 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; R_DKIM_ALLOW(-0.20)[jellydonut.org:s=google]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; MIME_GOOD(-0.10)[text/plain]; FREEFALL_USER(0.00)[mike]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; MISSING_XM_UA(0.00)[]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[jellydonut.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2a00:1450:4864:20::52f:from]; PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org]; MLMMJ_DEST(0.00)[freebsd-stable@freebsd.org]; RCVD_TLS_LAST(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[jellydonut.org:+] X-Rspamd-Queue-Id: 4WChCs3jnmz4GZF On Sat, Jun 29, 2024 at 8:17=E2=80=AFPM Craig Leres wro= te: > > When I upgraded ~10 systems from 13.3 to 14.1 recently, 90%+ of my > breakage was due to the localhost source address changing from 127.0.0.1 > to 127.0.0.2. This was on two of my systems. > > My lo0 config is standard: > > mote 20 % ifconfig lo0 > lo0: flags=3D1008049 metric = 0 > mtu 16384 > options=3D680003 > inet 127.0.0.1 netmask 0xff000000 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 > groups: lo > nd6 options=3D21 > > What's different on the two problematic systems is that they are > authoritative nameservers. Following best practices, I use the (bind) > server for authoritative queries and unbound for recursive resolver > duties. The way I did this was to configure unbound to listen on > 127.0.0.2 and then change /etc/resolv.conf to use "nameserver > 127.0.0.2". (Which reminds me of another 14.X breakage -- unbound is no > longer able to provide me with authoritative sshfp records!) > > For 14.1 at least, this has the side effect that the source address for > anything in the 127.0.0.0/8 domain becomes 127.0.0.2 instead of 127.0.0.1= . > > Given a host that has unbound listening on 127.0.0.2: > > mote 133 # lsof -np `cat /usr/local/etc/unbound/unbound.pid` | > fgrep domain > unbound 39496 unbound 3u IPv4 0xfffff8001ee56000 0 > UDP 127.0.0.2:domain->*:* > unbound 39496 unbound 4u IPv4 0xfffff80037c2ea80 0 > TCP 127.0.0.2:domain->*:* (LISTEN) > > you can see this with the iperf3 port. Start the server side with: > > iperf3 -s 127.0.0.1 > > and connect using: > > iperf3 -c 127.0.0.1 > > The server session will report: > > Accepted connection from 127.0.0.2, port 37306 > > I believe my configuration is far enough off the well-traveled path that > I'm the first to notice this. But there are definitely some programs > (e.g. sendmail/opendkim which appears to sign messages from 127.0.0.1 > but not from 127.0.0.2!) that are hardwired to know about 127.0.0.1 and > deal with it specially/differently... > > Craig > What netmask are you using for 127.0.0.2? I'd treat it as I would an IP alias (only on localhost) with a /32 netmask, should keep it isolated. Just tried it myself on a test box and iperf works as expected, using 127.0.0.1 as the source when connecting. -Proto